redline | 86e79986dc2a94049d06e9501a21d541fdaada04e47e7bf49aaa04bc0479f710

General

Target

Setup 2.exe
Size

9KB
MD5

c2c84226444eb2597f9b000bb59d2db7
SHA1

e9eb9b080059e7ee92c28debbbfcd3560d93f2a2
SHA256

86e79986dc2a94049d06e9501a21d541fdaada04e47e7bf49aaa04bc0479f710
SHA512

fb054e6c659c487fcb86f49798cf59063a86a102fc2af24ecf589c09e9eaae2f253d5e7b533e2133321bb4dfe88ecf71e0cafd1678bcf44a3c3eb4605fc66cc7
SSDEEP

192:JAPr/j+peQbAINi7RrKBAPTXrWfYVjlM4mIgV:yD/j+8QbAT7Rr8sTXCQvcIg

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

C2

45.138.74.121:80

Attributes

auth_value
789c24c515d0ca3018de8d8c611caf08

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/98904-69-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/98904-74-0x00000000000B27CE-mapping.dmp	family_redline
behavioral1/memory/98904-75-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/98904-76-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/608-62-0x0000000000890000-0x00000000016AA000-memory.dmp	family_ytstealer
behavioral1/memory/608-78-0x0000000000890000-0x00000000016AA000-memory.dmp	family_ytstealer

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
608	AYRDL.exe
1012	L3Q0R.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/memory/608-62-0x0000000000890000-0x00000000016AA000-memory.dmp	upx
behavioral1/memory/608-78-0x0000000000890000-0x00000000016AA000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
60452	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	Setup 2.exe
1960	Setup 2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1012 set thread context of 98904	1012	L3Q0R.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Setup 2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Setup 2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup 2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup 2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
98904	AppLaunch.exe
98904	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	Setup 2.exe
Token: SeDebugPrivilege	98904	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 608	1960	Setup 2.exe	28
PID 1960 wrote to memory of 608	1960	Setup 2.exe	28
PID 1960 wrote to memory of 608	1960	Setup 2.exe	28
PID 1960 wrote to memory of 1012	1960	Setup 2.exe	29
PID 1960 wrote to memory of 1012	1960	Setup 2.exe	29
PID 1960 wrote to memory of 1012	1960	Setup 2.exe	29
PID 1960 wrote to memory of 1012	1960	Setup 2.exe	29
PID 1960 wrote to memory of 60452	1960	Setup 2.exe	31
PID 1960 wrote to memory of 60452	1960	Setup 2.exe	31
PID 1960 wrote to memory of 60452	1960	Setup 2.exe	31
PID 60452 wrote to memory of 1684	60452	cmd.exe	33
PID 60452 wrote to memory of 1684	60452	cmd.exe	33
PID 60452 wrote to memory of 1684	60452	cmd.exe	33
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34
PID 1012 wrote to memory of 98904	1012	L3Q0R.exe	34

C:\Users\Admin\AppData\Local\Temp\Setup 2.exe
"C:\Users\Admin\AppData\Local\Temp\Setup 2.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\AYRDL.exe
  "C:\Users\Admin\AppData\Local\Temp\AYRDL.exe"
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Users\Admin\AppData\Local\Temp\L3Q0R.exe
  "C:\Users\Admin\AppData\Local\Temp\L3Q0R.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:98904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "Setup 2.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:60452
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AYRDL.exe

Filesize
4.3MB

MD5
3396ca21ec2620532b08c9823e7a246c

SHA1
8c380dec5387c300b4ccce56a7086d0211f2347d

SHA256
5f76670ab4cddd48de1abf8340799665d88f9d13856bffc79e175170605ce777

SHA512
05b07f13feb6a99ce0457ceedce9795bdebcab81be25d6b351f5222a5afff534939952bae02f5707b549fd8d1fd96027bf00c6d643a67b51b4e3b8ddc32dcef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\L3Q0R.exe

Filesize
475KB

MD5
cbb9bfbaaf3b05cfaeca3f36f23e3e89

SHA1
efe3e26798474754f465c85524088e3d3814f24a

SHA256
f6d09cfdff46132187828ea15db4bd103ed62aec6fe4a1b416f93f49cb14db7c

SHA512
73fa4537c1a9e84d735e73a04da25725430db7235b5e09b59c63e7229b00e25d788d0aab0e5232bedde0105043b70ac092d52325868d239956a9e9605d8d3636

Download Submit
\Users\Admin\AppData\Local\Temp\AYRDL.exe

Filesize
4.3MB

MD5
3396ca21ec2620532b08c9823e7a246c

SHA1
8c380dec5387c300b4ccce56a7086d0211f2347d

SHA256
5f76670ab4cddd48de1abf8340799665d88f9d13856bffc79e175170605ce777

SHA512
05b07f13feb6a99ce0457ceedce9795bdebcab81be25d6b351f5222a5afff534939952bae02f5707b549fd8d1fd96027bf00c6d643a67b51b4e3b8ddc32dcef7

Download Submit
\Users\Admin\AppData\Local\Temp\AYRDL.exe

Filesize
4.3MB

MD5
3396ca21ec2620532b08c9823e7a246c

SHA1
8c380dec5387c300b4ccce56a7086d0211f2347d

SHA256
5f76670ab4cddd48de1abf8340799665d88f9d13856bffc79e175170605ce777

SHA512
05b07f13feb6a99ce0457ceedce9795bdebcab81be25d6b351f5222a5afff534939952bae02f5707b549fd8d1fd96027bf00c6d643a67b51b4e3b8ddc32dcef7

Download Submit
memory/608-62-0x0000000000890000-0x00000000016AA000-memory.dmp

Filesize
14.1MB

Download
memory/608-78-0x0000000000890000-0x00000000016AA000-memory.dmp

Filesize
14.1MB

Download
memory/1960-61-0x000000001C5F0000-0x000000001D40A000-memory.dmp

Filesize
14.1MB

Download
memory/1960-60-0x000000001C5F0000-0x000000001D40A000-memory.dmp

Filesize
14.1MB

Download
memory/1960-54-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/1960-55-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/98904-67-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/98904-69-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/98904-75-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/98904-76-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/98904-77-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing